India’s central bank, the Reserve Bank of India (RBI), has extended tokenisation to cover card-on-file (COF) data; the extension will take effect together with its new rules on data storage in January 2022.
According to an RBI statement dated September 7, 2021, the device-based framework is now extended to card-on-file tokenisation, and card issuers will be allowed to offer these COF services as token service providers. The statement added that tokenisation of card data will be carried out only with the customer’s consent and with an additional factor of authentication. The RBI said the new rules would ensure that COF data is not breached.
Earlier, the RBI permitted only a device-based tokenisation framework for payment gateways and aggregators (PGs and PAs). This meant that gateways and aggregators could not store any customer card details. News reports, however, suggested that the framework raised concerns that customers would have to enter their card data (card number, CVC, expiry date) for every e-commerce transaction or purchase at an outlet. Such a system, while improving safety, would come at the cost of convenience, especially for a customer who uses multiple cards or pays for subscriptions. The RBI has now clarified that COF tokenisation would both improve the safety of customer information and remove the need for customers to enter their card data for each transaction.
What are PAs/PGs?
According to the RBI’s definition, payment aggregators help e-commerce websites or merchants accept any payment instrument from customers to complete a transaction, without the merchant having to build its own payment system. Payment gateways provide the technology and infrastructure that allow an online transaction to be processed without handling any funds themselves.
The RBI, in August 2021, had also extended tokenisation to all consumer devices, including wearables, IoT devices, laptops and desktops. Before that, tokenisation was allowed only on devices such as tablets and mobile phones. As part of its efforts to strengthen the security of payment systems, the RBI introduced tokenisation services through mobile phones and tablets in 2019. In March 2020, the RBI issued guidelines for gateways and aggregators that barred them from storing customer card data or associated data on their servers or databases. The RBI further said that all payment aggregators would need RBI authorisation, and that non-banking firms offering such services would also need a licence.
What is tokenisation?
Tokenisation is a system in which a customer’s card details are substituted with a token, a code that is unique for every card. In a tokenised transaction, a token requestor accepts the customer’s request for tokenisation and passes it on to the card network, which issues the token. The actual card details are stored securely by the authorised card network. After tokenisation the customer’s data is safe, because the token requestor cannot store details such as the PAN (card number).
The two types of tokenisation are COF tokenisation and device tokenisation. In device tokenisation, the token is saved on the device, whether a mobile phone, a wrist band or a watch. COF tokenisation involves saving the card number or UPI handle for online payments in recurring scenarios. For instance, when a customer has opted for a subscription payment to an OTT channel or a news site, the customer does not need to enter payment details each time.
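The flow just described (token requestor, card network acting as token service provider, PAN held only by the network, consent and an additional factor of authentication before a token is issued) can be shown as a small model. The following Python is an added illustration written for this article, not code from the RBI or any card network; the class names, the vault layout and the constructed test card number are assumptions, and a real token service provider would keep the vault in hardware-protected storage rather than a dictionary. It also shows the same-length, same-format property of tokens that the FAQ below mentions.

```python
import secrets
from dataclasses import dataclass, field


class TokenisationError(Exception):
    """Raised when the token service provider refuses a request."""


@dataclass
class TokenServiceProvider:
    """Plays the card network's role: the only party holding the token -> PAN mapping.
    (Assumed design for illustration; real vault protection is not modelled here.)"""
    _vault: dict = field(default_factory=dict)   # (requestor, token) -> PAN
    _index: dict = field(default_factory=dict)   # (requestor, PAN) -> token

    def issue_token(self, requestor: str, pan: str, consent: bool, afa_verified: bool) -> str:
        # Per the RBI rules described above, tokenisation needs the customer's
        # explicit consent and an additional factor of authentication (AFA).
        if not consent:
            raise TokenisationError("customer consent is required")
        if not afa_verified:
            raise TokenisationError("additional factor of authentication not verified")
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise TokenisationError("PAN must be 13 to 19 digits")
        key = (requestor, pan)
        if key in self._index:            # one token per card per requestor
            return self._index[key]
        token = self._new_token(len(pan))
        self._vault[(requestor, token)] = pan
        self._index[key] = token
        return token

    def _new_token(self, length: int) -> str:
        # Format-preserving: same length and all digits, so it fits existing
        # card-number fields, but random, so it reveals nothing about the PAN.
        existing = {tok for (_, tok) in self._vault}
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(length))
            if token not in existing:
                return token

    def authorise(self, requestor: str, token: str, amount: int) -> str:
        # De-tokenisation happens only inside the network: the requestor sends
        # the token and gets back an authorisation, never the PAN itself.
        pan = self._vault.get((requestor, token))
        if pan is None:
            raise TokenisationError("token unknown for this requestor")
        return f"authorised {amount} on card ending {pan[-4:]}"


@dataclass
class Merchant:
    """A token requestor (merchant, PA or PG): stores tokens only, never card data."""
    name: str
    tsp: TokenServiceProvider
    cards_on_file: dict = field(default_factory=dict)   # customer id -> token

    def save_card(self, customer_id: str, pan: str, consent: bool, afa_verified: bool) -> str:
        token = self.tsp.issue_token(self.name, pan, consent, afa_verified)
        self.cards_on_file[customer_id] = token   # the PAN is discarded here
        return token

    def charge(self, customer_id: str, amount: int) -> str:
        return self.tsp.authorise(self.name, self.cards_on_file[customer_id], amount)


def run_demo() -> dict:
    """Walk through a subscription scenario and report what each party ends up holding."""
    pan = "4111111111111111"       # constructed test card number, not a real card
    tsp = TokenServiceProvider()
    ott = Merchant("ott-channel", tsp)
    news = Merchant("news-site", tsp)
    out = {}
    try:
        ott.save_card("cust-1", pan, consent=False, afa_verified=True)
    except TokenisationError as e:
        out["no_consent"] = str(e)
    token = ott.save_card("cust-1", pan, consent=True, afa_verified=True)
    out["token"] = token
    out["same_token_on_repeat"] = ott.save_card("cust-1", pan, True, True) == token
    out["merchant_holds_pan"] = pan in str(ott.cards_on_file)
    out["receipt"] = ott.charge("cust-1", 199)
    try:                          # a token scoped to one requestor is useless to another
        tsp.authorise(news.name, token, 199)
    except TokenisationError as e:
        out["token_reuse"] = str(e)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The merchant's `cards_on_file` record never contains the PAN, so a breach of the merchant's database exposes only tokens, and each token is bound to the requestor it was issued to, which is what makes COF tokenisation safer than storing card numbers while still sparing the customer from re-entering details for every recurring payment.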
The RBI has extended its device-based tokenisation system to card-on-file tokenisation services in a bid to boost security of card details and user convenience in card-based transactions. The new rules will be brought into effect from January 1, 2022.
What is tokenisation?
Tokenisation involves replacing actual card data with a unique code or token that has the same length and format as the original data. Tokenisation helps secure sensitive data.
What is card-on-file tokenisation?
Card-on-file data is card data stored by a merchant or a payment facilitator; with tokenisation of card-on-file data, the customer’s card details are kept safe.
What is device-based tokenisation?
Device-based tokenisation is where conversion of data into tokens is limited to devices such as mobile phones, laptops, tablets and wearable devices.